Mailing List Archive

Cisco Security Advisory: Cisco Small Business Router Password Disclosure Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Small Business Router Password Disclosure Vulnerability

Advisory ID: cisco-sa-20140305-rpd

Revision 1.0

For Public Release 2014 March 5 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======


A vulnerability in the web management interface of the Cisco RV110W Wireless-N VPN Firewall, the Cisco RV215W Wireless-N VPN Router, and the Cisco CVR100W Wireless-N VPN Router could allow an unauthenticated, remote attacker to gain administrative-level access to the web management interface of the affected device.

The vulnerability is due to improper handling of authentication requests by the web framework. An attacker could exploit this vulnerability by intercepting, modifying and resubmitting an authentication request. Successful exploitation of this vulnerability could give an attacker administrative-level access to the web-based administration interface on the affected device.

Cisco has released free software updates that address this vulnerability. There are currently no known workarounds that mitigate this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-rpd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iQIVAwUBUxdNdYpI1I6i1Mx3AQKOVQ//fDCH4hGeCpP1cWb2Huz9Oca8WqiDDzFZ
yItR++/l1/vFnQpe7hXmuEt1g/eCSOgV7jF/ILCpEjGN7Kh2zF/uYenBX8t6QYsr
nd/yO9gr82B/MwMPl8W5HU5jlpo+s82sbIr7X5TGv8+m3yTBLfboD27TQzkuzlZH
EoaOd/UnCHWKYJR+ADjG6+HLPY1zvr+gcycsrI8eTPzZmWp5rMjhlNgApYTRcC7P
g9EDG5qkkroEWufZpjC6ZX1KwE227WA8EFe0v34xlPjXYGdQK431qDK02QH85fkb
lOHpqFfRGAjuVyIhp99cQ+bXCx1vsBoB9vul/L0It68yeo8HePnnAlnjNhEkhQZg
cLAwZpEY/ndvcIjj03qfi/q9IFYLpjMrpaJhUJV1Z7Tan2gBf5u5ISlAvqqFIfgo
U6X0Lg8nDvN133I1jLCpdpeUKVm19WXntx5oqo/5YWshdClfP2B7Jx7mKLv72Ff4
BpNMQCAXXfa4xV4YQrMPxUlcfwSs8+BVzMaKN0Ewbph/z6fbW/uTCTmy+D1Guu9q
G2XA2/Hk7h8+O7gJf5OiHFl/5sHlGeLQ3HHN2+jnizOh66vm/Nko8wc7RtMSfWnh
0mOLK7HHYkPFvnZpLVEHHi7l1CcAHIj+qKt2ZX65I7GQgGWq76usZntIaiqAslij
hc8D2np3qGo=
=uInA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Cisco Security Advisory: Cisco Small Business Router Password Disclosure Vulnerability [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Great, just two days after I purchased on on the premise that this would
be less likely to happen to a "small business" router than a consumer one!

Thanks for being forthcoming,

BW

On 03/05/2014 11:28, Cisco Systems Product Security Incident Response
Team wrote:
> Cisco Security Advisory: Cisco Small Business Router Password
> Disclosure Vulnerability
>
> Advisory ID: cisco-sa-20140305-rpd
>
> Revision 1.0
>
> For Public Release 2014 March 5 16:00 UTC (GMT)
>
> +---------------------------------------------------------------------
>
> Summary =======
>
>
> A vulnerability in the web management interface of the Cisco RV110W
> Wireless-N VPN Firewall, the Cisco RV215W Wireless-N VPN Router,
> and the Cisco CVR100W Wireless-N VPN Router could allow an
> unauthenticated, remote attacker to gain administrative-level
> access to the web management interface of the affected device.
>
> The vulnerability is due to improper handling of authentication
> requests by the web framework. An attacker could exploit this
> vulnerability by intercepting, modifying and resubmitting an
> authentication request. Successful exploitation of this
> vulnerability could give an attacker administrative-level access to
> the web-based administration interface on the affected device.
>
> Cisco has released free software updates that address this
> vulnerability. There are currently no known workarounds that
> mitigate this vulnerability. This advisory is available at the
> following link:
> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140305-rpd
>
>
>
> _______________________________________________ Full-Disclosure -
> We believe in it. Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
> sponsored by Secunia - http://secunia.com/
>

- --
Brian M. Waters
+1 (908) 380-8214
brian@brianmwaters.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQEcBAEBCgAGBQJTF579AAoJEEYNFaEjEsGoJu4H/30s9m46Yj8k2i5ZsOUaXiBv
c/Z/tHpKD2uNf7kNs1c8KpD5Gvr7R5jvwZzdi6CVzG08qKoWMYPJii5EYlLOVH2R
cK+JQO0sDn7GWbc/5Il7SmarKfkQdYLJxOw2uNxgYiRpImGXiColo7sHP2FkMbxt
BJyNT26n1sAyHJ2XyJsxPo5+xjHPrg8O1tdBsVio/FYp0SestNoW/2oYTNzQb5jl
TzJr5rS90XNxudVXnptl07djCuhDgkT/JZLST9cUCMpVbwOpHqVhzFZhYan/JfeL
Gu43RUS9T1R5p0WPhS1k9L7QkjoWRoqA00sGqwbzq0iHl/XIutDUztP4FSLkFzM=
=my8Z
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/